Note:
When reading through the Community posts you will see that PiHole is not recommended due to security issues. Since the pi-hole filters DNS records, DNSSEC is not possible from the client to the external DNS server (hope I explained this correctly).
I know you are not using DNSSEC but in my opinion you should.
The only way I was able to get everything to work with green AND blue zones was this:
https://discourse.pi-hole.net/t/dual-subnet-network-wired-wireless/46961
This is the same link I sent (above). Pi-hole has two zone or two subnet ability built into it. In my opinion you may be making this more difficult than you want.